Summary:ASTERISK-09321: [patch] strcasecmp in app_macro related to GOSUB returns a NULL causing a segfault.
Reporter:Brian West (bkw918)Labels:
Date Opened:2007-04-26 11:54:36Date Closed:2007-05-08 17:40:14
Versions:Frequency of
Environment:Attachments:( 0) 20070427__bug9602.diff.txt
( 1) 20070504__bug9602.diff.txt
Description:(gdb) bt#0  0x00a037f9 in strcasecmp () from /lib/tls/libc.so.6
#1  0x00f6f470 in macro_exec (chan=0xb55c2698, data=0xb56bc070) at app_macro.c:311
#2  0x0808b3b0 in pbx_exec (c=0xb55c2698, app=0xa1433e8, data=0xb56bc070, newstack=1) at pbx.c:574
#3  0x0808f030 in pbx_extension_helper (c=0xb55c2698, con=0x0, context=0xb55c27e8 "macro-dial", exten=0xb55c28dc "s", priority=7, label=0x0,     callerid=0xb55c3338 "6823653814", action=1) at pbx.c:1717
#4  0x080904bd in ast_spawn_extension (c=0xb55c2698, context=0xb55c27e8 "macro-dial", exten=0xb55c28dc "s", priority=7, callerid=0xb55c3338 "6823653814")    at pbx.c:2250
ASTERISK-1  0x08090a0d in __ast_pbx_run (c=0xb55c2698) at pbx.c:2316
ASTERISK-2  0x08091905 in pbx_thread (data=0xb55c2698) at pbx.c:2537
ASTERISK-3  0x00b48371 in start_thread () from /lib/tls/libpthread.so.0
ASTERISK-4  0x00a60ffe in clone () from /lib/tls/libc.so.6
Comments:By: Brian West (bkw918) 2007-04-26 12:08:47

This patch still will allow the race condition to take place.  The issue is "e" is disappearing between functions calls.  You would have to lock "e" or put it into a local var to fully fix this.  The same race can happen in ast_get_extension_app_data.


By: Tilghman Lesher (tilghman) 2007-04-26 12:20:49

Please upload a 'bt full' into the file upload area.

By: Brian West (bkw918) 2007-04-26 12:27:30

I no longer have them.  I have since removed the patch that introduced this issue and using app_macro from 1.2.16.  If I have time tonight i'll try to reproduce this issue again.  It takes about 24 hours to reproduce it and I suspect its related to reloading while this is processing and "e" just going away.


By: Tilghman Lesher (tilghman) 2007-04-26 12:59:06

Please test with this patch, then.

By: callguy (callguy) 2007-04-27 04:11:30

we hit this issue 4 times yesterday after upgrading to 1.2.18. we've installed the patch and will see how we fare today.

By: Tilghman Lesher (tilghman) 2007-04-27 08:06:35

Thought it over overnight, and I think it's probable that we're holding onto e a little long.  There's still a possible race, but it's much, much shorter with this second patch.

By: callguy (callguy) 2007-04-27 09:19:42

Tried the newer patch but it fails. Reject file uploaded.

By: callguy (callguy) 2007-04-27 09:20:52

Disregard my last post - I'm losing my mind. Forgot to revert to unpatched app_macro.c before applying the new patch.

By: callguy (callguy) 2007-04-27 16:07:57

Ok, had the first patch running today, and we did experience one crash this afternoon. We'll be installing the newer one tonight and will get a better sense on Monday if that resolves it.

By: callguy (callguy) 2007-05-01 11:04:12

We just experienced a crash with the 4/27 patch. It does seem to be much improved (we made it a day and a half without issue), but not completely resolved.

By: callguy (callguy) 2007-05-01 11:15:31

Here's the BT from the most recent:

(gdb) bt
#0  0x00abe359 in strcasecmp () from /lib/tls/libc.so.6
#1  0xb799944e in macro_exec (chan=0xb76213e0, data=0xb56fd0a0) at app_macro.c:311
#2  0x080918ed in pbx_extension_helper (c=0xb76213e0, con=Variable "con" is not available.
) at pbx.c:574
#3  0x08092bb6 in __ast_pbx_run (c=0xb76213e0) at pbx.c:2250
#4  0x0809474c in pbx_thread (data=0x0) at pbx.c:2537
ASTERISK-1  0x00c03341 in start_thread () from /lib/tls/libpthread.so.0
ASTERISK-2  0x00b1b6fe in clone () from /lib/tls/libc.so.6
(gdb) bt full
#0  0x00abe359 in strcasecmp () from /lib/tls/libc.so.6
No symbol table info available.
#1  0xb799944e in macro_exec (chan=0xb76213e0, data=0xb56fd0a0) at app_macro.c:311
       tmp = 0xb56f8240 "join-meetme"
       cur = 0x0
       rest = 0x0
       macro = 0xb56f8240 "join-meetme"
       fullmacro = "macro-join-meetme\000le\000\000\000\000?23b??23b??017\b\000\000\000\200\000\000\000\000\000\000\000\000?\b\200~o?\000\000\000\000pno???\b?\027b??23b?pno?"
       varname = "ARG2", '\0' <repeats 75 times>
       oldargs = {0x0 <repeats 81 times>}
       argc = 3
       x = 0
       res = 0
       oldexten = "6173990701", '\0' <repeats 245 times>
       oldpriority = 4
       gosub_level = 0
       pc = "4", '\0' <repeats 78 times>
       depthc = "1\000\000\000\000\000\000\000\000\000\000"
       oldcontext = "pstn-in", '\0' <repeats 72 times>
       offsets = 0x0
       s = 0x0
       inhangupc = 0x0
       offset = 0
       depth = 0
       maxdepth = 7
       setmacrocontext = 1
       autoloopflag = 512
       dead = 0
       inhangup = 0
       save_macro_exten = 0x0
       save_macro_context = 0x0
       save_macro_priority = 0x0
       save_macro_offset = 0x0
       u = (struct localuser *) 0x94d9230
       c = (struct ast_context *) 0x8fc3a60
       e = (struct ast_exten *) 0x8c84c90
       __PRETTY_FUNCTION__ = "macro_exec"
#2  0x080918ed in pbx_extension_helper (c=0xb76213e0, con=Variable "con" is not available.
) at pbx.c:574
       e = (struct ast_exten *) 0x8acf2e0
       sw = Variable "sw" is not available.

By: Brian West (bkw918) 2007-05-04 12:06:04

I wasn't using GOSUB when I encounted this crash... so its SO isn't related to GOSUB its related to e going bye bye :P


By: Tilghman Lesher (tilghman) 2007-05-04 12:36:57

callguy:  new patch for you to test.

By: callguy (callguy) 2007-05-08 16:08:06


We've made it through a couple of days on very heavily utilized servers without incident. I think you can commit the 5/04 patch.

By: Tilghman Lesher (tilghman) 2007-05-08 17:40:14

Committed in revision 63477, merged in 63478, 63479.